Key Takeaways:

Data Protection Considerations

With particular regard to the use of COVID-19 mobile warning and prevention applications, the following principles should be observed:

Safeguards ensuring respect for fundamental rights and prevention of stigmatization, in particular applicable rules governing protection of personal data and confidentiality of communications

Preference for the least intrusive, yet effective measures, including the use of proximity data and the avoidance of processing data on the location or movements of individuals, and the use of anonymized and aggregated data where possible

Effective cybersecurity requirements to protect the availability, authenticity, integrity and confidentiality of data

The expiration of measures taken and the deletion of personal data obtained through these measures, at the latest when the pandemic is declared to be under control

Uploading of proximity data in case of a confirmed infection and appropriate methods of warning persons who have been in close contact with the infected person, who shall remain anonymous

Transparency requirements on the privacy settings to ensure trust in the applications.

With Respect to the Use of Mobility Data, Consider:

The appropriate use of anonymous and aggregated mobility data for modelling to understand how the virus will spread and modelling of the economic effects of the crisis

Advice to public authorities on asking providers of the data for the methodology that they have applied for anonymizing the data and on carrying out a plausibility test of the methodology applied

Safeguards to be put in place to prevent de-anonymization and avoid re-identification of individuals, including guarantees of adequate levels of data and IT security, and assessment of re-identification risks when correlating the anonymized data with other data

Immediate and irreversible deletion of all accidentally processed data capable of identifying individuals and notifying the providers of the data as well as competent authorities of the accidental processing and deletion

Deletion of the data in principle after 90 days, or in any event no later than when the pandemic is declared under control

Restricting processing of the data exclusively to the purposes stated above and excluding sharing of the data with any third party.

Odia Kagan is Chair of the firm's GDPR Compliance & International Privacy Practice. She can be reached at 215.444.7313 or [email protected].